BlueXP classification

Scan Cloud Volumes ONTAP and on-premises ONTAP volumes with BlueXP classification

Contributors netapp-tonacki amgrissino netapp-ahibbard netapp-bcammett

Complete a few steps to start scanning your Cloud Volumes ONTAP and on-premises ONTAP volumes using BlueXP classification.

Prerequisites

Before you enable BlueXP classification, make sure you have a supported configuration.

Enable BlueXP classification scanning in your working environments

You can enable BlueXP classification scanning on Cloud Volumes ONTAP systems in any supported cloud provider, and on on-premises ONTAP clusters.

Steps
  1. From the BlueXP left navigation menu, select Governance > Classification.

  2. From the BlueXP classification menu, select Configuration.

    The Configuration page shows multiple working environments.

  3. Choose a working environment and select Configuration.

  4. If you don't care whether the last access time is reset, turn ON the Scan when missing "write attributes" permissions switch. All files are then scanned regardless of the permissions.

    The Scan when missing "write attributes" permissions switch at the top of the page is disabled by default. This means that if BlueXP classification doesn't have write attributes permissions in CIFS, or write permissions in NFS, the system won't classify the files, because BlueXP classification can't revert the "last access time" to the original timestamp.

  5. Select how you want to scan the volumes in each working environment:

    • To map all volumes, select Map.

    • To map and classify all volumes, select Map & Classify.

    • To customize scanning for each volume, select Custom, and then choose the volumes you want to map and/or classify.

  6. In the confirmation dialog box, select Approve to have BlueXP classification start scanning your volumes.

Result

BlueXP classification starts scanning the volumes you selected in the working environment. Results start to appear in the Compliance dashboard as soon as BlueXP classification starts the scan. The time that it takes to complete depends on the amount of data; it could be a few minutes or hours.

Note: BlueXP classification scans only one file share under a volume. If you have multiple shares in your volumes, you'll need to scan those other shares separately as a shares group.

Verify that BlueXP classification has access to volumes

Make sure that BlueXP classification can access volumes by checking your networking, security groups, and export policies. You'll need to provide BlueXP classification with CIFS credentials so it can access CIFS volumes.

Steps
  1. Make sure that there's a network connection between the BlueXP classification instance and each network that includes volumes for Cloud Volumes ONTAP or on-premises ONTAP clusters.

  2. Ensure that the security group for Cloud Volumes ONTAP allows inbound traffic from the BlueXP classification instance.

    You can either open the security group for traffic from the IP address of the BlueXP classification instance, or you can open the security group for all traffic from inside the virtual network.

  3. Ensure that NFS volume export policies include the IP address of the BlueXP classification instance so it can access the data on each volume.

  4. If you use CIFS, provide BlueXP classification with Active Directory credentials so it can scan CIFS volumes.

    1. From the BlueXP left navigation menu, select Governance > Classification.

    2. From the BlueXP classification menu, select Configuration.

    3. For each working environment, select Edit CIFS Credentials and enter the user name and password that BlueXP classification needs to access CIFS volumes on the system.

      The credentials can be read-only, but providing admin credentials ensures that BlueXP classification can read any data that requires elevated permissions. The credentials are stored on the BlueXP classification instance.

      If you want to make sure your files' "last accessed times" are unchanged by BlueXP classification scans, it's recommended that the user has Write Attributes permissions in CIFS or write permissions in NFS. If possible, configure the Active Directory user as part of a parent group in the organization which has permissions to all files.

      After you enter the credentials, you should see a message that all CIFS volumes were authenticated successfully.

  5. On the Configuration page, select Configuration to review the status for each CIFS and NFS volume and correct any errors.
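
The export-policy check in step 3 can be rehearsed offline before you enable scanning. The following Python sketch is an added example, not NetApp code: it takes rules transcribed from an export policy and reports whether the BlueXP classification instance's IP address gets read access, and which rules export more widely than that one address needs. The rule list, field names, and the `max_hosts` threshold are constructed for illustration, and the evaluation model (first matching rule by index decides, `never` denies) is a simplifying assumption.

```python
import ipaddress

# Constructed sample: rules transcribed from an export policy, by rule index.
# The dict field names are this example's own, not an ONTAP API.
SAMPLE_RULES = [
    {"index": 1, "clientmatch": "10.20.5.0/24", "rorule": "never"},
    {"index": 2, "clientmatch": "10.20.5.17", "rorule": "sys"},
    {"index": 3, "clientmatch": "0.0.0.0/0", "rorule": "sys"},
    {"index": 4, "clientmatch": "@scanners", "rorule": "sys"},
]


def _network(clientmatch):
    """Parse an IP, CIDR or IP/netmask entry; None for hostnames and netgroups."""
    try:
        return ipaddress.ip_network(clientmatch, strict=False)
    except ValueError:
        return None


def check_scanner_access(rules, scanner_ip, max_hosts=256):
    """Return (readable, matched_index, findings) for the scanner's IP.

    Assumed model: rules are evaluated in index order, the first rule whose
    clientmatch covers the IP decides, and rorule "never" denies read access.
    """
    ip = ipaddress.ip_address(scanner_ip)
    readable, matched, findings = False, None, []
    for rule in sorted(rules, key=lambda r: r["index"]):
        idx, net = rule["index"], _network(rule["clientmatch"])
        if net is None:
            findings.append(f"rule {idx}: {rule['clientmatch']!r} is not an IP or subnet, check it by hand")
            continue
        if net.num_addresses > max_hosts and rule["rorule"] != "never":
            findings.append(f"rule {idx}: {net} grants read access to {net.num_addresses} addresses")
        if matched is None and ip in net:
            matched, readable = idx, rule["rorule"] != "never"
    if matched is None:
        findings.append(f"no rule covers {scanner_ip}")
    return readable, matched, findings


if __name__ == "__main__":
    print(check_scanner_access(SAMPLE_RULES, "10.20.5.17"))
```

In the sample, the instance address 10.20.5.17 is listed in rule 2 but is still denied, because the broader deny rule 1 matches first; the wide-open rule 3 and the netgroup in rule 4 are reported as findings to review.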

Disable compliance scans on volumes

You can start or stop mapping-only scans, or mapping and classification scans, in a working environment at any time from the Configuration page. You can also change from mapping-only scans to mapping and classification scans, and vice versa. We recommend that you scan all volumes.

Note: New volumes added to the working environment are automatically scanned only when you have set the Map or Map & Classify setting in the heading area. When the option is set to Custom or Off in the heading area, you'll need to activate mapping and/or full scanning on each new volume you add in the working environment.

Steps
  1. From the BlueXP classification menu, select Configuration.

  2. Select the Configuration button for the working environment that you want to change.

  3. Do one of the following:

    • To disable scanning on a volume, in the volume area, select Off.

    • To disable scanning on all volumes, in the heading area, select Off.